lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <OF5B457772.5235C9A1-ON48257B4F.002A2C13-48257B4F.002A691B@zte.com.cn>
Date:	Tue, 16 Apr 2013 15:43:07 +0800
From:	wang.bo116@....com.cn
To:	linux-mtd@...ts.infradead.org
Cc:	richard.weinberger@...il.com, linux-kernel@...r.kernel.org,
	liu.dong3@....com.cn, cui.yunfeng@....com.cn, wang.bo116@....com.cn
Subject: [PATCH] UBI: fix memory leak when use fastmap

Hello,
    Sorry, there is something wrong with the previous patch's format, try 
to submit it again.
When use ubi fastmap, there is a memory leak which will make destroy_ai() 
fail to free the slab.
The following patch base on linux-3.9-rc6 fix this problem.


diff -uprN old_ubi/attach.c new_ubi/attach.c
--- old_ubi/attach.c    2013-04-08 03:49:54.000000000 +0000
+++ new_ubi/attach.c    2013-04-16 03:22:47.343750000 +0000
@@ -1212,6 +1212,30 @@ static void destroy_ai(struct ubi_attach
        kfree(ai);
 }
 
+static struct ubi_attach_info *alloc_ai(const char *slab_name)
+{
+       struct ubi_attach_info *ai;
+
+       ai = kzalloc(sizeof(struct ubi_attach_info), GFP_KERNEL);
+       if (!ai)
+               return ai;
+
+       INIT_LIST_HEAD(&ai->corr);
+       INIT_LIST_HEAD(&ai->free);
+       INIT_LIST_HEAD(&ai->erase);
+       INIT_LIST_HEAD(&ai->alien);
+       ai->volumes = RB_ROOT;
+       ai->aeb_slab_cache = kmem_cache_create(slab_name,
+                                          sizeof(struct ubi_ainf_peb),
+                                              0, 0, NULL);
+       if (!ai->aeb_slab_cache) {
+               kfree(ai);
+               ai = NULL;
+       }
+
+       return ai;
+}
+
 /**
  * scan_all - scan entire MTD device.
  * @ubi: UBI device description object
@@ -1315,8 +1339,13 @@ static int scan_fast(struct ubi_device *
        int err, pnum, fm_anchor = -1;
        unsigned long long max_sqnum = 0;
 
+       struct ubi_attach_info *fm_temp_ai = NULL;
        err = -ENOMEM;
 
+       fm_temp_ai = alloc_ai("ubi_scan_fastmap_slab_cache");
+       if (!fm_temp_ai)
+               goto out;
+
        ech = kzalloc(ubi->ec_hdr_alsize, GFP_KERNEL);
        if (!ech)
                goto out;
@@ -1331,7 +1360,7 @@ static int scan_fast(struct ubi_device *
                cond_resched();
 
                dbg_gen("process PEB %d", pnum);
-               err = scan_peb(ubi, ai, pnum, &vol_id, &sqnum);
+               err = scan_peb(ubi, fm_temp_ai, pnum, &vol_id, &sqnum);
                if (err < 0)
                        goto out_vidh;
 
@@ -1343,6 +1372,7 @@ static int scan_fast(struct ubi_device *
 
        ubi_free_vid_hdr(ubi, vidh);
        kfree(ech);
+       destroy_ai(fm_temp_ai);
 
        if (fm_anchor < 0)
                return UBI_NO_FASTMAP;
@@ -1351,6 +1381,7 @@ static int scan_fast(struct ubi_device *
 
 out_vidh:
        ubi_free_vid_hdr(ubi, vidh);
+       destroy_ai(fm_temp_ai);
 out_ech:
        kfree(ech);
 out:
@@ -1359,29 +1390,6 @@ out:
 
 #endif
 
-static struct ubi_attach_info *alloc_ai(const char *slab_name)
-{
-       struct ubi_attach_info *ai;
-
-       ai = kzalloc(sizeof(struct ubi_attach_info), GFP_KERNEL);
-       if (!ai)
-               return ai;
-
-       INIT_LIST_HEAD(&ai->corr);
-       INIT_LIST_HEAD(&ai->free);
-       INIT_LIST_HEAD(&ai->erase);
-       INIT_LIST_HEAD(&ai->alien);
-       ai->volumes = RB_ROOT;
-       ai->aeb_slab_cache = kmem_cache_create(slab_name,
-                                          sizeof(struct ubi_ainf_peb),
-                                              0, 0, NULL);
-       if (!ai->aeb_slab_cache) {
-               kfree(ai);
-               ai = NULL;
-       }
-
-       return ai;
-}
 
 /**
  * ubi_attach - attach an MTD device.
@@ -1419,7 +1427,7 @@ int ubi_attach(struct ubi_device *ubi, i
                                        return -ENOMEM;
                        }
 
-                       err = scan_all(ubi, ai, UBI_FM_MAX_START);
+                       err = scan_all(ubi, ai, 0);
                }
        }
 #else
 
 
diff -uprN old_ubi/fastmap.c new_ubi/fastmap.c
--- old_ubi/fastmap.c   2013-04-08 03:49:54.000000000 +0000
+++ new_ubi/fastmap.c   2013-04-16 03:22:17.468750000 +0000
@@ -552,21 +552,8 @@ static int ubi_attach_fastmap(struct ubi
        INIT_LIST_HEAD(&used);
        INIT_LIST_HEAD(&free);
        INIT_LIST_HEAD(&eba_orphans);
-       INIT_LIST_HEAD(&ai->corr);
-       INIT_LIST_HEAD(&ai->free);
-       INIT_LIST_HEAD(&ai->erase);
-       INIT_LIST_HEAD(&ai->alien);
-       ai->volumes = RB_ROOT;
        ai->min_ec = UBI_MAX_ERASECOUNTER;
 
-       ai->aeb_slab_cache = kmem_cache_create("ubi_ainf_peb_slab",
-                                          sizeof(struct ubi_ainf_peb),
-                                              0, 0, NULL);
-       if (!ai->aeb_slab_cache) {
-               ret = -ENOMEM;
-               goto fail;
-       }
-
        fmsb = (struct ubi_fm_sb *)(fm_raw);
        ai->max_sqnum = fmsb->sqnum;
        fm_pos += sizeof(struct ubi_fm_sb);

 

Signed-off-by: Wang bo <wang.bo116@....com.cn>
Tested-by: Wang bo <wang.bo116@....com.cn>
Reviewed-by: Cui Yunfeng <cui.yunfeng@....com.cn>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ